CPNI - Centre for the Protection of National Infrastructure

May 2007

DDoS Attacks Against Estonian Websites

ID: 134
Ref: 076/2007
Date: 21 May 2007:16:18:18
Version: 1

Title: DDoS Attacks Against Estonian Websites
Abstract: Comment on DDoS attacks against Estonian websites


You will have seen recent media reporting of distributed denial of service (DDoS) attacks against a number of Estonian websites, including government and banks. The Estonian authorities have reported seeing significant DDoS traffic from a wide range of addresses and a number of diverse geographic locations. The traffic is likely to be the result of a directed attack from botnets.

Whilst there is no evidence of any similar attack aimed at UK interests, this is an opportune moment to remind UK businesses of the importance of having in place appropriate business continuity measures to mitigate any such attack.

Following the media reporting, CESG's GovCERTUK released advice to its UK Public Sector community (see annexe). That advice applies equally to wider UK business. NISCC published two documents giving advice about DDoS and Botnets in 2005 and 2006. The advice in those publications is still relevant. Copies of those documents can be found on the CPNI website at the addresses below.

CPNI will continue to monitor the situation and will provide further updates if necessary.

Recommended reading

NISCC Viewpoint 05/2006
Distributed Denial of Service (DDoS)
URL: http://www.cpni.gov.uk/docs/VP0506.pdf
- This paper provides advice on how to protect your organisation from DDoS attacks.

NISCC Briefing 11a/2005
Botnets - the threat to the Critical National Infrastructure
URL: http://www.cpni.gov.uk/docs/botnet_11a.pdf
- This paper has been written to inform the reader of the threat posed to the Critical National Infrastructure by Botnets.

------

Annexe - GovCERTUK's advice to UK Public Sector community

We have had several telephone calls to GovCertUK from our constituency regarding the electronic attacks against high profile Estonian websites and critical infrastructure. The interest in this incident has been raised significantly due to the press coverage in the UK over the last few days.
The attacks are relatively low in sophistication, but have been highly effective due to the large number of compromised machines involved in the DDoS. Several of our constituents have expressed concern about how UK Government could defend against such attacks in the future.

It is difficult to defend against a sophisticated DDoS attack without impacting legitimate business use, as the attacker can potentially make it difficult to determine whether or not an incoming request for a service is from an automated 'bot' or a real customer. The best defence against these types of attack is to ensure that you have appropriate monitoring to detect the onset of an attack and a comprehensive business continuity plan in place that provides contingency against such attacks.

Potential contingency plans could include plans for working with your upstream ISPs, the possibility of having backup IP address ranges and Internet links (preferably with different ISPs at different physical locations) and having load balancing/filtering to reduce known bad traffic.
If a low-sophistication attack is seen, such as those recently against Estonia, it should be possible to filter out the attacker's traffic.
Collaboration with upstream ISPs is still essential, however, as filtering must be carried out at the highest level to prevent your network bandwidth being saturated to an unusable level.

In the event of UK Government being attacked from outside the UK, GovCertUK will be able to collaborate with the main service providers to potentially filter IP traffic originating from outside the UK.

<End of GovCERTUK Advisory>
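
The monitoring and filtering advice in the annexe can be illustrated with a small onset detector. This is an added example, not part of the CPNI or GovCERTUK advisory: it compares each time window's request count with a rolling baseline and lists high-rate sources as filter candidates to pass upstream. The window size, thresholds and the documentation-range addresses in the sample are assumptions.

```python
from collections import Counter
from statistics import median

def detect_onset(events, window=10, history=6, factor=5.0, per_source_limit=20):
    """events: (epoch_second, source_ip) pairs, e.g. parsed from access logs.
    Flags the first window whose request count exceeds `factor` times the
    median of the previous `history` windows. All thresholds are assumptions
    to be tuned against real traffic. Windows with no events are skipped."""
    buckets = {}
    for ts, src in events:
        buckets.setdefault(ts - ts % window, Counter())[src] += 1
    past = []
    for start in sorted(buckets):
        per_src = buckets[start]
        total = sum(per_src.values())
        if len(past) >= history:
            baseline = median(past[-history:])
            if total > factor * baseline:
                # Sources far above a normal per-client rate are candidates
                # for filtering, ideally by the upstream ISP.
                noisy = sorted(s for s, n in per_src.items()
                               if n >= per_source_limit)
                return {"onset": start, "requests": total,
                        "baseline": baseline, "filter_candidates": noisy}
        past.append(total)  # only non-alerting windows feed the baseline
    return None

def constructed_sample(seconds=90, flood_from=60):
    """Constructed traffic: 3 req/s from 30 rotating clients (192.0.2.0/24),
    then 20 high-rate sources (198.51.100.0/24) at 5 req/s each."""
    events = []
    for t in range(seconds):
        for k in range(3):
            events.append((t, f"192.0.2.{(t * 3 + k) % 30 + 1}"))
        if t >= flood_from:
            for b in range(1, 21):
                events.extend([(t, f"198.51.100.{b}")] * 5)
    return events

if __name__ == "__main__":
    print(detect_onset(constructed_sample()))
```

A per-source threshold only isolates the low-sophistication case the annexe describes; traffic that mimics normal client rates needs the continuity measures listed there rather than filtering alone.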


<End of CPNI Advisory>
